By Remmie Butchko, CIC
Georgetown Insurance Service, Inc.
Silver Spring, MD
As I wrap up my 5-part series on cyber risk and awareness, I wanted to conclude by covering one of the most important issues we all face in business and in our personal lives: managing the risks associated with E-Commerce. E-Commerce can be defined as any commercial transaction which is handled electronically on the internet.
We are not computer experts. We are insurance professionals, but here are some areas where we have seen weaknesses or mistakes in managing Cyber Risks related to E-Commerce.
Do not leave the responsibility of purchasing Cyber Insurance to your IT personnel. Most business owners we discuss Cyber Risks with defer the matter to their IT staff. The IT staff always thinks everything is under control, so why purchase insurance? Everything is perfect until it is not. Hackers find new and inventive ways to breach systems all the time; you or your business could be one of the first to be breached with a new hack before patches or solutions are in place.
Assess your exposure to a breach. How many records do you have of Personally Identifiable Information (customers, employees, prospective customers, etc.)? Where is the data and how is it stored? Can it be accessed by laptop computers or mobile devices? The dollar impact of just notification costs can be huge. It is important to assess where you could be hacked, so you can eliminate loopholes and plan accordingly.
Test your own operations. It might seem mundane, but try to breach yourself. Assess what your employees are doing and how they are handling customer data, passwords, and e-commerce. I’ve heard of businesses cleaning out ex-employees’ offices and finding numerous login IDs and passwords underneath mousepads, keyboards, or just taped to their desks or monitors, including their own personal data. Secure, password-protected lists, password protection programs, and two-step authentication are a few options to explore.
Read your contracts. Many people think they are not exposed to Cyber Risks because the functions have been outsourced to third party vendors. The risk transfer in these contracts has become very sophisticated, and you are responsible for more than you think. In particular, be sure to search for “Limitation of Liability” clauses. Discussing contracts with your legal team is also a good business practice.
Watch the paper. It seems silly to discuss paper management when talking about Cyber Risks, but people still use pen and paper. Are employees documenting Personally Identifiable Information over the phone? Writing down credit card information? Social security numbers? Driver’s license numbers? Names, addresses and email addresses? Unfortunately, in today’s world nothing is secret, but everything needs to be handled as if it were Top Secret. Document shredding services are available, and most offer onsite shredding so documents are destroyed before leaving your premises.
These are just a few items to take into consideration, and unfortunately in the new world of e-commerce and the risks associated with it, it will probably become more complicated as time marches on. Discuss cyber risk insurance with your agent and make sure you have coverages in place to keep your business protected.